Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
BID:29948
Info
Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
| Bugtraq ID: | 29948 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-2462 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 25 2008 12:00AM |
| Updated: | Jun 27 2008 12:11AM |
| Credit: | Tomasz Kuczynski |
| Vulnerable: |
Caucho Technology Resin 3.1.1 Caucho Technology Resin 3.1 Caucho Technology Resin 3.0.19 Caucho Technology Resin 3.0.18 Caucho Technology Resin 3.0.17 Caucho Technology Resin 3.0.16 Caucho Technology Resin 2.1.12 Caucho Technology Resin 2.1.2 Caucho Technology Resin 2.1.1 Caucho Technology Resin 2.1 .s020711 Caucho Technology Resin 2.0 b2 Caucho Technology Resin 2.0 Caucho Technology Resin 1.3 Caucho Technology Resin 1.2.5 Caucho Technology Resin 1.2.3 Caucho Technology Resin 1.2.2 Caucho Technology Resin 1.2 Caucho Technology Resin 1.1 |
| Not Vulnerable: |
Caucho Technology Resin 3.1.4 Caucho Technology Resin 3.0.25 |
Discussion
Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
Caucho Technology Resin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Resin 3.0.25 and 3.1.4 are vulnerable.
Caucho Technology Resin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Resin 3.0.25 and 3.1.4 are vulnerable.
Exploit / POC
Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
Solution:
The vendor has addressed this issue in Resin 3.0.25 and 3.1.4. Please see the references for more information.
Solution:
The vendor has addressed this issue in Resin 3.0.25 and 3.1.4. Please see the references for more information.
References
Caucho Technology Resin Viewfile 'file' Parameter Cross Site Scripting Vulnerability
References:
References:
- Resin Homepage (Caucho Technology)
- Vulnerability Note VU#305208 Caucho Resin vulnerable to XSS via "file" parameter (US-CERT)